sibujs 1.2.0 → 1.4.0

package/dist/ssr.cjs

@@ -33,6 +33,7 @@ __export(ssr_exports, {
   createWorkerPool: () => createWorkerPool,
   defineRemoteComponent: () => defineRemoteComponent,
   deserializeState: () => deserializeState,
+  escapeScriptJson: () => escapeScriptJson,
   generateStaticSite: () => generateStaticSite,
   hydrate: () => hydrate,
   hydrateIslands: () => hydrateIslands,
@@ -78,14 +79,63 @@ function devWarn(message) {
   }
 }
 
+// src/utils/sanitize.ts
+function sanitizeUrl(url) {
+  const trimmed = url.replace(/[\x00-\x20\x7f-\x9f]+/g, "").trim();
+  if (!trimmed) return "";
+  const lower = trimmed.toLowerCase();
+  if (lower.startsWith("javascript:") || lower.startsWith("data:") || lower.startsWith("vbscript:") || lower.startsWith("blob:")) {
+    return "";
+  }
+  return trimmed;
+}
+function sanitizeCSSValue(value) {
+  const lower = value.toLowerCase().replace(/\s+/g, "");
+  if (lower.includes("url(") || lower.includes("expression(") || lower.includes("javascript:") || lower.includes("-moz-binding")) {
+    return "";
+  }
+  return value;
+}
+var URL_ATTRIBUTES = /* @__PURE__ */ new Set(["href", "src", "action", "formaction", "cite", "poster", "background", "srcset"]);
+function isUrlAttribute(attr) {
+  return URL_ATTRIBUTES.has(attr);
+}
+
 // src/platform/ssr.ts
 var _isDev2 = isDev();
+var SAFE_ATTR_NAME = /^[A-Za-z_:][-A-Za-z0-9_.:]*$/;
+function isSafeAttrName(name) {
+  return SAFE_ATTR_NAME.test(name);
+}
+function isEventHandlerAttr(name) {
+  if (name.length < 3) return false;
+  const lower = name.toLowerCase();
+  return lower[0] === "o" && lower[1] === "n" && lower.charCodeAt(2) >= 97 && lower.charCodeAt(2) <= 122;
+}
+var URL_ATTRS = /* @__PURE__ */ new Set([
+  "href",
+  "src",
+  "action",
+  "formaction",
+  "cite",
+  "poster",
+  "background",
+  "srcset",
+  "ping",
+  "manifest",
+  "data",
+  "xlink:href"
+]);
 function ssrErrorComment(err) {
   if (_isDev2) {
-    return `<!--SSR error: ${escapeHtml(err instanceof Error ? err.message : String(err))}-->`;
+    const msg = escapeHtml(err instanceof Error ? err.message : String(err));
+    return `<!--SSR error: ${safeCommentText(msg)}-->`;
   }
   return "<!--SSR error-->";
 }
+function safeCommentText(text2) {
+  return text2.replace(/-->/g, "--&gt;").replace(/--!>/g, "--!&gt;").replace(/<!--/g, "&lt;!--").replace(/--$/g, "--&#45;");
+}
 var VOID_ELEMENTS = /* @__PURE__ */ new Set([
   "area",
   "base",
@@ -116,16 +166,30 @@ function renderToString(element) {
     return escapeHtml(element.textContent || "");
   }
   if (element.nodeType === 8) {
-    const content = (element.textContent || "").replace(/-->/g, "--&gt;");
-    return `<!--${content}-->`;
+    return `<!--${safeCommentText(element.textContent || "")}-->`;
   }
   if (!(element instanceof HTMLElement)) {
-    return element.textContent || "";
+    return escapeHtml(element.textContent || "");
   }
   const tag = element.tagName.toLowerCase();
+  if (tag === "script" || tag === "style") {
+    return _isDev2 ? `<!--ssr:${tag}-stripped-->` : "";
+  }
+  if (!/^[a-z][a-z0-9-]*$/i.test(tag)) {
+    return _isDev2 ? "<!--ssr:invalid-tag-->" : "";
+  }
   let html2 = `<${tag}`;
   for (const attr of Array.from(element.attributes)) {
-    html2 += ` ${attr.name}="${escapeAttr(attr.value)}"`;
+    const rawName = attr.name;
+    if (!isSafeAttrName(rawName)) continue;
+    if (isEventHandlerAttr(rawName)) continue;
+    const lowerName = rawName.toLowerCase();
+    let value = attr.value;
+    if (URL_ATTRS.has(lowerName)) {
+      value = sanitizeUrl(value);
+      if (!value) continue;
+    }
+    html2 += ` ${rawName}="${escapeAttr(value)}"`;
   }
   if (element.dataset && !element.dataset.sibuHydrate) {
     html2 += ` data-sibu-ssr="true"`;
@@ -144,8 +208,25 @@ function renderToString(element) {
   html2 += `</${tag}>`;
   return html2;
 }
-function hydrate(component, container) {
+function hydrate(component, container, options = {}) {
   const clientTree = component();
+  if (options.diagnostics) {
+    const mismatches = [];
+    collectMismatches(container.firstElementChild, clientTree, "", mismatches);
+    if (mismatches.length > 0) {
+      const first = mismatches[0];
+      if (options.onMismatch) {
+        options.onMismatch(first);
+      } else if (_isDev2) {
+        console.warn(
+          `[Sibu hydration] ${first.message}
+  at ${first.path}
+  server: ${first.serverValue}
+  client: ${first.clientValue}`
+        );
+      }
+    }
+  }
   hydrateNode(container.firstElementChild, clientTree);
   container.setAttribute("data-sibu-hydrated", "true");
 }
@@ -157,9 +238,119 @@ function hydrateNode(serverNode, clientNode) {
     hydrateNode(serverChildren[i2], clientChildren[i2]);
   }
 }
+function collectMismatches(serverNode, clientNode, path2, out, max = 5) {
+  if (out.length >= max) return;
+  const nodePath = path2 || clientNode?.tagName?.toLowerCase() || "(root)";
+  if (!serverNode && clientNode) {
+    out.push({
+      kind: "child-count",
+      path: nodePath,
+      serverValue: "(missing)",
+      clientValue: clientNode.tagName.toLowerCase(),
+      message: "Client rendered a node that the server did not emit."
+    });
+    return;
+  }
+  if (serverNode && !clientNode) {
+    out.push({
+      kind: "child-count",
+      path: nodePath,
+      serverValue: serverNode.tagName.toLowerCase(),
+      clientValue: "(missing)",
+      message: "Server rendered a node that the client did not produce."
+    });
+    return;
+  }
+  if (!serverNode || !clientNode) return;
+  if (serverNode.tagName !== clientNode.tagName) {
+    out.push({
+      kind: "tag",
+      path: nodePath,
+      serverValue: serverNode.tagName.toLowerCase(),
+      clientValue: clientNode.tagName.toLowerCase(),
+      message: "Element tag mismatch \u2014 server and client disagree on the element type."
+    });
+    return;
+  }
+  const skipAttrs = /* @__PURE__ */ new Set(["data-sibu-ssr", "data-sibu-hydrated", "data-sibu-island"]);
+  const serverAttrs = /* @__PURE__ */ new Map();
+  for (const a2 of Array.from(serverNode.attributes)) {
+    if (!skipAttrs.has(a2.name)) serverAttrs.set(a2.name, a2.value);
+  }
+  const clientAttrs = /* @__PURE__ */ new Map();
+  for (const a2 of Array.from(clientNode.attributes)) {
+    if (!skipAttrs.has(a2.name)) clientAttrs.set(a2.name, a2.value);
+  }
+  for (const [name, value] of serverAttrs) {
+    if (out.length >= max) return;
+    if (!clientAttrs.has(name)) {
+      out.push({
+        kind: "attribute",
+        path: `${nodePath}[${name}]`,
+        serverValue: value,
+        clientValue: "(missing)",
+        message: `Attribute "${name}" present on server but missing on client.`
+      });
+    } else if (clientAttrs.get(name) !== value) {
+      out.push({
+        kind: "attribute",
+        path: `${nodePath}[${name}]`,
+        serverValue: value,
+        clientValue: clientAttrs.get(name) ?? "",
+        message: `Attribute "${name}" differs between server and client.`
+      });
+    }
+  }
+  for (const [name, value] of clientAttrs) {
+    if (out.length >= max) return;
+    if (!serverAttrs.has(name)) {
+      out.push({
+        kind: "attribute",
+        path: `${nodePath}[${name}]`,
+        serverValue: "(missing)",
+        clientValue: value,
+        message: `Attribute "${name}" present on client but missing on server.`
+      });
+    }
+  }
+  const serverChildren = Array.from(serverNode.children);
+  const clientChildren = Array.from(clientNode.children);
+  const max2 = Math.max(serverChildren.length, clientChildren.length);
+  for (let i2 = 0; i2 < max2; i2++) {
+    if (out.length >= max) return;
+    const childPath = `${nodePath} > ${clientChildren[i2]?.tagName?.toLowerCase() ?? serverChildren[i2]?.tagName?.toLowerCase() ?? "?"}:nth-child(${i2 + 1})`;
+    collectMismatches(serverChildren[i2] ?? null, clientChildren[i2] ?? null, childPath, out, max);
+  }
+}
 function trustHTML(html2) {
   return html2;
 }
+function buildAttrString(attrs, { allowEventHandlers = false } = {}) {
+  if (!attrs) return "";
+  const out = [];
+  for (const rawKey of Object.keys(attrs)) {
+    if (!Object.hasOwn(attrs, rawKey)) continue;
+    if (!isSafeAttrName(rawKey)) continue;
+    if (!allowEventHandlers && isEventHandlerAttr(rawKey)) continue;
+    const lowerKey = rawKey.toLowerCase();
+    let value = String(attrs[rawKey]);
+    if (URL_ATTRS.has(lowerKey)) {
+      value = sanitizeUrl(value);
+      if (!value) continue;
+    }
+    out.push(`${rawKey}="${escapeAttr(value)}"`);
+  }
+  return out.join(" ");
+}
+function isDangerousMetaRefresh(metaProps) {
+  const httpEquiv = metaProps["http-equiv"];
+  if (typeof httpEquiv !== "string") return false;
+  if (httpEquiv.toLowerCase() !== "refresh") return false;
+  const content = metaProps.content;
+  if (typeof content !== "string") return false;
+  const normalized = content.replace(/[\x00-\x20\x7f-\x9f]+/g, "").toLowerCase();
+  return normalized.includes("url=javascript:") || normalized.includes("url=data:") || normalized.includes("url=vbscript:") || normalized.includes("url=blob:");
+}
 function renderToDocument(component, options = {}) {
   let content;
   try {
@@ -167,14 +358,22 @@ function renderToDocument(component, options = {}) {
   } catch (err) {
     content = ssrErrorComment(err);
   }
-  const metaTags = (options.meta || []).map(
-    (attrs) => `<meta ${Object.entries(attrs).map(([k, v]) => `${k}="${escapeAttr(v)}"`).join(" ")} />`
-  ).join("\n    ");
-  const linkTags = (options.links || []).map(
-    (attrs) => `<link ${Object.entries(attrs).map(([k, v]) => `${k}="${escapeAttr(v)}"`).join(" ")} />`
-  ).join("\n    ");
-  const scriptTags = (options.scripts || []).map((src) => `<script src="${escapeAttr(src)}"></script>`).join("\n    ");
-  const bodyAttrs = options.bodyAttrs ? " " + Object.entries(options.bodyAttrs).map(([k, v]) => `${k}="${escapeAttr(v)}"`).join(" ") : "";
+  const metaTags = (options.meta || []).map((attrs) => {
+    if (isDangerousMetaRefresh(attrs)) return "";
+    const pairs = buildAttrString(attrs);
+    return pairs ? `<meta ${pairs} />` : "";
+  }).filter(Boolean).join("\n    ");
+  const linkTags = (options.links || []).map((attrs) => {
+    const pairs = buildAttrString(attrs);
+    return pairs ? `<link ${pairs} />` : "";
+  }).filter(Boolean).join("\n    ");
+  const scriptTags = (options.scripts || []).map((src) => {
+    const safe = sanitizeUrl(String(src));
+    if (!safe) return "";
+    return `<script src="${escapeAttr(safe)}"></script>`;
+  }).filter(Boolean).join("\n    ");
+  const bodyAttrPairs = buildAttrString(options.bodyAttrs);
+  const bodyAttrs = bodyAttrPairs ? ` ${bodyAttrPairs}` : "";
   return `<!DOCTYPE html>
 <html>
   <head>
@@ -207,18 +406,34 @@ async function* renderToStream(element) {
     return;
   }
   if (element.nodeType === 8) {
-    const content = (element.textContent || "").replace(/-->/g, "--&gt;");
-    yield `<!--${content}-->`;
+    yield `<!--${safeCommentText(element.textContent || "")}-->`;
     return;
   }
   if (!(element instanceof HTMLElement)) {
-    yield element.textContent || "";
+    yield escapeHtml(element.textContent || "");
     return;
   }
   const tag = element.tagName.toLowerCase();
+  if (tag === "script" || tag === "style") {
+    if (_isDev2) yield `<!--ssr:${tag}-stripped-->`;
+    return;
+  }
+  if (!/^[a-z][a-z0-9-]*$/i.test(tag)) {
+    if (_isDev2) yield "<!--ssr:invalid-tag-->";
+    return;
+  }
   let openTag = `<${tag}`;
   for (const attr of Array.from(element.attributes)) {
-    openTag += ` ${attr.name}="${escapeAttr(attr.value)}"`;
+    const rawName = attr.name;
+    if (!isSafeAttrName(rawName)) continue;
+    if (isEventHandlerAttr(rawName)) continue;
+    const lowerName = rawName.toLowerCase();
+    let value = attr.value;
+    if (URL_ATTRS.has(lowerName)) {
+      value = sanitizeUrl(value);
+      if (!value) continue;
+    }
+    openTag += ` ${rawName}="${escapeAttr(value)}"`;
   }
   if (VOID_ELEMENTS.has(tag)) {
     yield `${openTag} />`;
@@ -266,8 +481,9 @@ function hydrateIslands(container, islands) {
   const markers = container.querySelectorAll("[data-sibu-island]");
   for (const marker2 of Array.from(markers)) {
     const id = marker2.getAttribute("data-sibu-island") ?? "";
+    if (!Object.hasOwn(islands, id)) continue;
     const factory = islands[id];
-    if (!factory) continue;
+    if (typeof factory !== "function") continue;
     const clientTree = factory();
     hydrateNode(marker2, clientTree);
     marker2.setAttribute("data-sibu-hydrated", "true");
@@ -279,8 +495,9 @@ function hydrateProgressively(container, islands, options) {
   const cleanups = [];
   for (const marker2 of Array.from(markers)) {
     const id = marker2.getAttribute("data-sibu-island") ?? "";
+    if (!Object.hasOwn(islands, id)) continue;
     const factory = islands[id];
-    if (!factory) continue;
+    if (typeof factory !== "function") continue;
     const observer = new IntersectionObserver(
       (entries) => {
         for (const entry of entries) {
@@ -319,24 +536,33 @@ function ssrSuspense(props) {
   }));
   return { element: wrapper, promise };
 }
+var SAFE_SUSPENSE_ID = /^[A-Za-z0-9_-]+$/;
 function suspenseSwapScript(id, nonce) {
-  const safeId = id.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/</g, "\\u003c").replace(/>/g, "\\u003e");
+  if (!SAFE_SUSPENSE_ID.test(id)) {
+    throw new Error(
+      `[SibuJS SSR] suspenseSwapScript: id must match [A-Za-z0-9_-]+ (got: ${JSON.stringify(id.slice(0, 32))})`
+    );
+  }
   const nonceAttr = nonce ? ` nonce="${escapeAttr(nonce)}"` : "";
-  return `<script${nonceAttr}>(function(){var t=document.getElementById("sibu-resolved-${safeId}");var f=document.querySelector('[data-sibu-suspense-id="${safeId}"]');if(t&&f){while(t.firstChild)f.appendChild(t.firstChild);t.remove();f.removeAttribute("data-sibu-suspense-id");}})()</script>`;
+  return `<script${nonceAttr}>(function(){var t=document.getElementById("sibu-resolved-${id}");var f=document.querySelector('[data-sibu-suspense-id="${id}"]');if(t&&f){while(t.firstChild)f.appendChild(t.firstChild);t.remove();f.removeAttribute("data-sibu-suspense-id");}})()</script>`;
 }
-async function* renderToSuspenseStream(element, pendingBoundaries = []) {
+async function* renderToSuspenseStream(element, pendingBoundaries = [], options) {
   yield* renderToStream(element);
   if (pendingBoundaries.length > 0) {
     const resolved = await Promise.all(pendingBoundaries);
     for (const { id, html: html2 } of resolved) {
-      yield `<div hidden id="sibu-resolved-${escapeAttr(id)}">${html2}</div>`;
-      yield suspenseSwapScript(id);
+      if (!SAFE_SUSPENSE_ID.test(id)) continue;
+      yield `<div hidden id="sibu-resolved-${id}">${html2}</div>`;
+      yield suspenseSwapScript(id, options?.nonce);
     }
   }
 }
 var SSR_DATA_ATTR = "__SIBU_SSR_DATA__";
+function escapeScriptJson(json) {
+  return json.replace(/</g, "\\u003c").replace(/>/g, "\\u003e").replace(/&/g, "\\u0026").replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
+}
 function serializeState(state, nonce) {
-  const json = JSON.stringify(state).replace(/</g, "\\u003c").replace(/>/g, "\\u003e").replace(/&/g, "\\u0026");
+  const json = escapeScriptJson(JSON.stringify(state));
   const nonceAttr = nonce ? ` nonce="${escapeAttr(nonce)}"` : "";
   return `<script${nonceAttr}>window.${SSR_DATA_ATTR}=${json}</script>`;
 }
@@ -351,7 +577,7 @@ function escapeHtml(str) {
   return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
 function escapeAttr(str) {
-  return str.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+  return str.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&#39;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
 
 // src/reactivity/track.ts
@@ -622,34 +848,35 @@ function effect(effectFn, options) {
   };
 }
 
-// src/utils/sanitize.ts
-function sanitizeUrl(url) {
-  const trimmed = url.replace(/[\x00-\x20\x7f-\x9f]+/g, "").trim();
-  if (!trimmed) return "";
-  const lower = trimmed.toLowerCase();
-  if (lower.startsWith("javascript:") || lower.startsWith("data:") || lower.startsWith("vbscript:") || lower.startsWith("blob:")) {
-    return "";
-  }
-  return trimmed;
-}
-function sanitizeCSSValue(value) {
-  const lower = value.toLowerCase().replace(/\s+/g, "");
-  if (lower.includes("url(") || lower.includes("expression(") || lower.includes("javascript:") || lower.includes("-moz-binding")) {
-    return "";
-  }
-  return value;
-}
-var URL_ATTRIBUTES = /* @__PURE__ */ new Set(["href", "src", "action", "formaction", "cite", "poster", "background", "srcset"]);
-function isUrlAttribute(attr) {
-  return URL_ATTRIBUTES.has(attr);
-}
-
 // src/platform/head.ts
-var HEAD_URL_ATTRS = /* @__PURE__ */ new Set(["href", "src", "content"]);
+var HEAD_URL_ATTRS = /* @__PURE__ */ new Set(["href", "src"]);
 function sanitizeHeadAttr(key, value) {
   if (HEAD_URL_ATTRS.has(key)) return sanitizeUrl(value);
   return value;
 }
+function isDangerousMetaRefresh2(metaProps) {
+  const httpEquiv = metaProps["http-equiv"];
+  if (typeof httpEquiv !== "string") return false;
+  if (httpEquiv.toLowerCase() !== "refresh") return false;
+  const content = metaProps.content;
+  if (typeof content !== "string") return false;
+  const normalized = content.replace(/[\x00-\x20\x7f-\x9f]+/g, "").toLowerCase();
+  return normalized.includes("url=javascript:") || normalized.includes("url=data:") || normalized.includes("url=vbscript:") || normalized.includes("url=blob:");
+}
+var SAFE_HEAD_ATTR_NAME = /^[A-Za-z_:][-A-Za-z0-9_.:]*$/;
+function isEventHandlerAttr2(name) {
+  if (name.length < 3) return false;
+  const lower = name.toLowerCase();
+  return lower[0] === "o" && lower[1] === "n" && lower.charCodeAt(2) >= 97 && lower.charCodeAt(2) <= 122;
+}
+function isSafeHeadAttr(name) {
+  if (!SAFE_HEAD_ATTR_NAME.test(name)) return false;
+  if (isEventHandlerAttr2(name)) return false;
+  return true;
+}
+function escapeScriptJsonLocal(json) {
+  return json.replace(/</g, "\\u003c").replace(/>/g, "\\u003e").replace(/&/g, "\\u0026").replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
+}
 function Head(props) {
   const anchor = document.createComment("sibu-head");
   const managedElements = [];
@@ -676,15 +903,17 @@ function Head(props) {
     }
     if (props.meta) {
       for (const metaProps of props.meta) {
+        if (isDangerousMetaRefresh2(metaProps)) continue;
         const el = document.createElement("meta");
         for (const [key, value] of Object.entries(metaProps)) {
+          if (!isSafeHeadAttr(key)) continue;
           if (typeof value === "function") {
             const cleanupFn = effect(() => {
-              el.setAttribute(key, value());
+              el.setAttribute(key, sanitizeHeadAttr(key, value()));
             });
             effectCleanups.push(cleanupFn);
           } else {
-            el.setAttribute(key, value);
+            el.setAttribute(key, sanitizeHeadAttr(key, value));
           }
         }
         document.head.appendChild(el);
@@ -695,6 +924,7 @@ function Head(props) {
       for (const linkProps of props.link) {
         const el = document.createElement("link");
         for (const [key, value] of Object.entries(linkProps)) {
+          if (!isSafeHeadAttr(key)) continue;
           el.setAttribute(key, sanitizeHeadAttr(key, value));
         }
         document.head.appendChild(el);
@@ -705,6 +935,7 @@ function Head(props) {
       for (const scriptProps of props.script) {
         const el = document.createElement("script");
         for (const [key, value] of Object.entries(scriptProps)) {
+          if (!isSafeHeadAttr(key)) continue;
           el.setAttribute(key, sanitizeHeadAttr(key, value));
         }
         document.head.appendChild(el);
@@ -715,7 +946,10 @@ function Head(props) {
       const existing = document.head.querySelector("base");
       if (existing) existing.remove();
       const el = document.createElement("base");
-      if (props.base.href) el.href = props.base.href;
+      if (props.base.href) {
+        const safeHref = sanitizeUrl(props.base.href);
+        if (safeHref) el.href = safeHref;
+      }
       if (props.base.target) el.target = props.base.target;
       document.head.appendChild(el);
       managedElements.push(el);
@@ -730,7 +964,7 @@ function setStructuredData(data2) {
   const script2 = document.createElement("script");
   script2.type = "application/ld+json";
   script2.setAttribute("data-sibu", "true");
-  script2.textContent = JSON.stringify(data2);
+  script2.textContent = escapeScriptJsonLocal(JSON.stringify(data2));
   document.head.appendChild(script2);
 }
 function setCanonical(url) {
@@ -957,7 +1191,20 @@ function createMiddlewareChain() {
 
 // src/reactivity/bindAttribute.ts
 var _isDev5 = isDev();
+function isEventHandlerAttr3(name) {
+  if (name.length < 3) return false;
+  const lower = name.toLowerCase();
+  return lower[0] === "o" && lower[1] === "n" && lower.charCodeAt(2) >= 97 && lower.charCodeAt(2) <= 122;
+}
 function bindAttribute(el, attr, getter) {
+  if (isEventHandlerAttr3(attr)) {
+    if (_isDev5)
+      devWarn(
+        `bindAttribute: refusing to bind event-handler attribute "${attr}". Use on:{ ${attr.slice(2)}: fn } instead.`
+      );
+    return () => {
+    };
+  }
   function commit() {
     let value;
     try {
@@ -1200,16 +1447,20 @@ function appendChildren(el, nodes) {
 var tagFactory = (tag, ns) => (first, second) => {
   const el = ns ? document.createElementNS(ns, tag) : document.createElement(tag);
   if (first === void 0) return el;
-  if (second === void 0 && typeof first === "string") {
+  if (typeof first === "string") {
+    if (second !== void 0) {
+      el.setAttribute("class", first);
+      appendChildren(el, second);
+      return el;
+    }
     el.textContent = first;
     return el;
   }
-  if (second !== void 0) {
-    el.setAttribute("class", first);
-    appendChildren(el, second);
+  if (typeof first === "number") {
+    el.textContent = String(first);
     return el;
   }
-  if (Array.isArray(first) || first instanceof Node) {
+  if (Array.isArray(first) || first instanceof Node || typeof first === "function") {
     appendChildren(el, first);
     return el;
   }
@@ -1218,7 +1469,7 @@ var tagFactory = (tag, ns) => (first, second) => {
   if (pClass != null) applyClass(el, pClass);
   const pId = props.id;
   if (pId != null) el.id = pId;
-  const pNodes = props.nodes;
+  const pNodes = second !== void 0 ? second : props.nodes;
   if (pNodes != null) appendChildren(el, pNodes);
   const pOn = props.on;
   if (pOn) {
@@ -1846,6 +2097,7 @@ function isWasmCached(key) {
   createWorkerPool,
   defineRemoteComponent,
   deserializeState,
+  escapeScriptJson,
   generateStaticSite,
   hydrate,
   hydrateIslands,

package/dist/ssr.d.cts

@@ -1,4 +1,4 @@
-export { T as TrustedHTML, c as collectStream, d as deserializeState, h as hydrate, a as hydrateIslands, b as hydrateProgressively, i as island, r as renderToDocument, e as renderToReadableStream, f as renderToStream, g as renderToString, j as renderToSuspenseStream, k as resetSSRState, s as serializeState, l as ssrSuspense, m as suspenseSwapScript, t as trustHTML } from './ssr-BA6sxxUd.cjs';
+export { H as HydrateOptions, a as HydrationMismatch, T as TrustedHTML, c as collectStream, d as deserializeState, e as escapeScriptJson, h as hydrate, b as hydrateIslands, f as hydrateProgressively, i as island, r as renderToDocument, g as renderToReadableStream, j as renderToStream, k as renderToString, l as renderToSuspenseStream, m as resetSSRState, s as serializeState, n as ssrSuspense, o as suspenseSwapScript, t as trustHTML } from './ssr-Do_SiVoL.cjs';
 
 interface HeadProps {
     title?: string | (() => string);
@@ -18,6 +18,15 @@ interface HeadProps {
 declare function Head(props: HeadProps): Comment;
 /**
  * Sets structured data (JSON-LD) for SEO.
+ *
+ * Security: the serialized JSON is passed through `escapeScriptJsonLocal`
+ * which unicode-escapes `<`, `>`, `&`, `U+2028`, and `U+2029`. This is
+ * defense-in-depth: when the element is inserted via `document.createElement`
+ * + `textContent` the browser will NOT re-parse the body, so `</script>`
+ * cannot break out of the tag at insertion time. However, tools that
+ * later serialize `document.head.innerHTML` DO re-parse, and the server
+ * side of any SSR roundtrip would see the raw text. Escaping here makes
+ * both paths safe.
  */
 declare function setStructuredData(data: Record<string, unknown>): void;
 /**

package/dist/ssr.d.ts

@@ -1,4 +1,4 @@
-export { T as TrustedHTML, c as collectStream, d as deserializeState, h as hydrate, a as hydrateIslands, b as hydrateProgressively, i as island, r as renderToDocument, e as renderToReadableStream, f as renderToStream, g as renderToString, j as renderToSuspenseStream, k as resetSSRState, s as serializeState, l as ssrSuspense, m as suspenseSwapScript, t as trustHTML } from './ssr-BA6sxxUd.js';
+export { H as HydrateOptions, a as HydrationMismatch, T as TrustedHTML, c as collectStream, d as deserializeState, e as escapeScriptJson, h as hydrate, b as hydrateIslands, f as hydrateProgressively, i as island, r as renderToDocument, g as renderToReadableStream, j as renderToStream, k as renderToString, l as renderToSuspenseStream, m as resetSSRState, s as serializeState, n as ssrSuspense, o as suspenseSwapScript, t as trustHTML } from './ssr-Do_SiVoL.js';
 
 interface HeadProps {
     title?: string | (() => string);
@@ -18,6 +18,15 @@ interface HeadProps {
 declare function Head(props: HeadProps): Comment;
 /**
  * Sets structured data (JSON-LD) for SEO.
+ *
+ * Security: the serialized JSON is passed through `escapeScriptJsonLocal`
+ * which unicode-escapes `<`, `>`, `&`, `U+2028`, and `U+2029`. This is
+ * defense-in-depth: when the element is inserted via `document.createElement`
+ * + `textContent` the browser will NOT re-parse the body, so `</script>`
+ * cannot break out of the tag at insertion time. However, tools that
+ * later serialize `document.head.innerHTML` DO re-parse, and the server
+ * side of any SSR roundtrip would see the raw text. Escaping here makes
+ * both paths safe.
  */
 declare function setStructuredData(data: Record<string, unknown>): void;
 /**

package/dist/ssr.js

@@ -22,10 +22,11 @@ import {
   wasm,
   worker,
   workerFn
-} from "./chunk-VMVDTCXB.js";
+} from "./chunk-2BYQDGN3.js";
 import {
   collectStream,
   deserializeState,
+  escapeScriptJson,
   hydrate,
   hydrateIslands,
   hydrateProgressively,
@@ -40,15 +41,16 @@ import {
   ssrSuspense,
   suspenseSwapScript,
   trustHTML
-} from "./chunk-WUHJISPP.js";
-import "./chunk-GCOK2LC3.js";
-import "./chunk-B7SWRFUT.js";
-import "./chunk-23VV7YD3.js";
-import "./chunk-6SA3QQES.js";
-import "./chunk-CHJ27IGK.js";
-import "./chunk-V2XTI523.js";
-import "./chunk-UNXCEF6S.js";
-import "./chunk-MLKGABMK.js";
+} from "./chunk-3X2YG6YM.js";
+import "./chunk-32DY64NT.js";
+import "./chunk-F3FA4F32.js";
+import "./chunk-PTQJDMRT.js";
+import "./chunk-CMBFNA7L.js";
+import "./chunk-CHF5OHIA.js";
+import "./chunk-EUZND3CB.js";
+import "./chunk-WZSPOOER.js";
+import "./chunk-ZD6OAMTH.js";
+import "./chunk-5X6PP2UK.js";
 export {
   Head,
   clearWasmCache,
@@ -63,6 +65,7 @@ export {
   createWorkerPool,
   defineRemoteComponent,
   deserializeState,
+  escapeScriptJson,
   generateStaticSite,
   hydrate,
   hydrateIslands,